The platform, owned by Chinese tech giant ByteDance, was also given a six-month deadline to fix its data practices or risk being banned from transferring EU user data to China.

The regulator said TikTok failed to guarantee that personal data belonging to users in the EU, data that was at times remotely accessed by staff in China, was being adequately safeguarded. The platform’s explanations didn’t convince the DPC. 

In fact, TikTok couldn’t show that the Chinese laws governing data access, including counter-espionage regulations, did not clash with the high standards required by the EU’s General Data Protection Regulation (GDPR).

Despite TikTok’s protests, the DPC stood firm. It found that TikTok’s use of “standard contractual clauses” did not go far enough in addressing the risk that Chinese authorities could demand access to European user data.

And while TikTok insisted that no such request has ever been made by Chinese authorities, that didn’t change the outcome. The DPC made its ruling based on the risks—not just past actions.

Here’s where things get even more serious. During the course of the DPC’s four-year investigation, TikTok repeatedly claimed that no EU data was stored in China.

But earlier this year, the company admitted that it discovered some data had been stored in China after all. The data was deleted, they said, but the damage was already done.

Deputy Commissioner Graham Doyle didn’t hold back: “The DPC is taking these recent developments very seriously. We are considering what further regulatory action may be warranted.”

This is not the first time TikTok has found itself in trouble with EU regulators. Just last year, the company was fined €345 million for mishandling children’s personal data.

TikTok has vowed to fight the latest decision. In a statement, the company said, “This ruling risks setting a precedent with far-reaching consequences for companies and entire industries across Europe that operate on a global scale.”

It claims to have rolled out robust changes since 2023 under a data protection initiative called Project Clover. The project includes three new data centres in Europe and oversight by the British cybersecurity firm NCC Group.

With over 175 million users across Europe, TikTok insists its updated policies are some of the strongest in the tech industry. But the DPC isn’t buying it—not yet.

Until TikTok brings its data handling practices in line with EU law, the platform faces the risk of losing its ability to transfer user information from the EU to China entirely.

Since 2018, the DPC has held enforcement authority under GDPR and has levied sanctions on several tech giants with European headquarters in Ireland.

Microsoft, LinkedIn, X (formerly Twitter), and Meta have all been fined. The rules are clear—companies can be fined up to 4% of their global turnover if they break them.

The post TikTok Fined €530 Million Over EU Data Privacy Failures appeared first on Tech | Business | Economy.

This breach compromised sensitive personal information, including details about users’ identities, locations, and personal preferences.

The Data Breach: What Happened?

In September 2018, Meta reported the incident to the Irish regulator, revealing that attackers had exploited vulnerabilities in Facebook’s “View As” feature, which lets users preview their profiles as others see them. 

Using automated scripts, unauthorised individuals were able to manipulate user tokens, gaining access to accounts and sensitive data. 

The breach exposed personal information such as full names, email addresses, phone numbers, locations, workplaces, dates of birth, religious affiliations, and posts. Particularly troubling was the exposure of children’s data.

While Meta quickly resolved the issue, the DPC’s investigation found gaps in how the company documented and responded to the breach under the EU’s General Data Protection Regulation (GDPR).

The DPC identified multiple GDPR violations and issued reprimands alongside the financial penalty. Two specific infringements stood out:

1. Breach Notification Failures: Meta failed to provide complete details in its breach notification, as required by GDPR Article 33(3). This led to an €8 million fine. The company also neglected to document the incident thoroughly, resulting in an additional €3 million penalty.
2. Inadequate System Design: Under GDPR Article 25(1) and 25(2), Meta was found to have overlooked data protection principles during the design of its systems, leaving users vulnerable. This oversight resulted in €130 million and €110 million fines, respectively.

Graham Doyle, deputy commissioner of the DPC, stressed the risks caused by such breaches, noting that Facebook profiles often contain sensitive information such as political views, religious beliefs, and sexual orientation. The exposure of these details could lead to significant misuse, affecting individuals’ privacy and safety.

This penalty is added to current enforcement against Meta by European regulators. Since GDPR’s introduction in 2018, Meta has faced nearly €3 billion in fines, including a record €1.2 billion penalty in 2023. The company has revealed its intention to appeal the latest ruling.

While this fine points to Europe’s focus on protecting personal data, similar investigations is growing in other regions. 

In July 2024, Nigeria’s Federal Competition and Consumer Protection Commission (FCCPC) and Nigeria Data Protection Commission (NDPC) jointly fined Meta $220 million for privacy violations and abuse of dominance. 

These findings accused the company of unauthorised data transfers, cross-border storage without compliance, and discriminatory practices.

The post Meta Fined €251 Million Over 2018 Facebook Data Breach Affecting 29 Million Users appeared first on Tech | Business | Economy.

This follows an investigation into the platform’s handling of personal data, specifically concerning its methods for behavioural analysis and targeted advertising.

The inquiry, prompted by a complaint from the French Data Protection Authority, concluded that LinkedIn had failed to comply with provisions of the General Data Protection Regulation (GDPR). 

Notably, the DPC identified serious violations regarding the legality, fairness, and transparency of how LinkedIn processed user data.

Key findings revealed that LinkedIn did not secure valid consent from users for the utilisation of their personal data in targeted advertising, breaching Article 6(1)(a) of the GDPR. 

The consent that was acquired was deemed neither freely given nor sufficiently informed, infringing on the fundamental rights of the platform’s users. Furthermore, the DPC also noted that LinkedIn misrepresented its use of user data under the guise of legitimate interests, as outlined in Article 6(1)(f) of the GDPR.

In this case, the company’s interests were found to be overridden by the rights of its users, thereby rendering the processing unlawful.

In its assessment, the DPC also determined that LinkedIn wrongly relied on Article 6(1)(b) of the GDPR, which pertains to contractual necessity, to justify its data processing for behavioural analysis—asserting this was not essential for fulfilling user agreements. 

Added to these, LinkedIn failed to provide users with clear information regarding the legal bases upon which it relied for processing their data, violating Articles 13(1)(c) and 14(1)(c) of the GDPR.

Graham Doyle, deputy commissioner of the DPC, stressed the importance of lawful data processing in protecting user rights. He stated, “The lawfulness of processing is a fundamental aspect of data protection law, and processing personal data without an appropriate legal basis is a clear and serious violation of a data subject’s fundamental right to data protection.”

In light of the ruling, LinkedIn has been directed to reform its data processing methods to align with GDPR requirements. 

The post LinkedIn Hit with €310 Million Fine by Irish Data Regulator for GDPR Breaches appeared first on Tech | Business | Economy.